AveMaria malware

Tactical report on the AveMaria malware

Identification

Vendor         | Detection
ALYac          | Trojan.PSW.AveMaria
Kaspersky      | HEUR:Trojan-Spy.Win32.AveMaria.gen
NANO-Antivirus | Trojan.Win32.AveMaria.huhbnn


The following table lists the artifacts analyzed in this document.

PE timestamp            | MD5                              | Size                    | File name      | Description
1992-06-19 22:22:17 UTC | 36a2061a6df7f0f3c608a8a140af14b3 | 1.29 MB (1356441 bytes) | RFQ_282008.exe | Loader

Technical details

The malware is packed; the packer identification reads "Borland Delphi 6.0 - 7.0 [Overlay]", as shown in figure (1). (The 1992-06-19 PE timestamp in the table above is the fixed value the Delphi linker writes into every binary, not the real build date.)


Figure (1)


After unpacking, it overwrites the file and drops the new, overwritten file in the system directory, as shown in figures (2), (3) and (4).


Figure (2)


Figure (3)





Figure (4)

It enumerates printers and captures the current window, as shown in figure (5).


Figure (5)


 

PE timestamp                 | MD5                              | Size                     | File name        | Description
2020-06-21 Sun 17:52:21 UTC  | 01BCA2E10EFD4379976B443F9E0E68B2 | 129.50 KB (132608 bytes) | TapiUnattend.exe | Dropper

The file is protected with a packer identified as "yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *", as shown in figure (6).


Figure (6)


It resolves APIs, as shown in figures (7) and (8).


Figure (7)


Figure (8)


It creates a new file called QZUebm.exe in the temp path and executes it, as shown in figures (9) and (10).


Figure (9)


Figure (10)


It unpacks a section of code at runtime, as shown in figure (11).



Figure (11)

It determines the version of the operating system, as shown in figure (12).


Figure (12)


It reads a value from the registry, as shown in figure (13), with the parameters listed in the table below.


Figure (13)



hKey   | HKEY_LOCAL_MACHINE
SubKey | SOFTWARE\GTplus
Value  | QZUebm

 

Command and control server

It creates a thread to download a malicious file from the server listed in the table below, as shown in figures (14) and (15), and executes that file, as shown in figure (16).


Figure (14)



Figure (15)


File name   | k1.rar
Domain name | ddos.dnsnb8.net:799/cj
Path        | Temp path
Full URL    | "http://ddos.dnsnb8.net:799/cj//k1.rar"



Figure (16)


It enumerates the logical drives and searches for files, as shown in figure (17).


Figure (17)


It creates a file in the temp path, as shown in figure (18), with the parameters listed in the table below.


Figure (18)


FileName  | \Temp\<8 random numbers and characters>.bat
Access    | GENERIC_READ|GENERIC_WRITE
Mode      | CREATE_ALWAYS
ShareMode | 0





It writes the following code to the batch file created above and executes it, as shown in figures (19) and (20); the purpose of the commands is to delete the temp file QZUebm.exe and then the batch file itself.


Figure (19)


Figure (20)


Content of the batch file (the label must sit on its own line for the del/goto loop to run; the paths are those of the analyst's sandbox):

    :DELFILE
    del "C:\Users\Mahmoud_El_Menshawy\Desktop\QZUebm.exe"
    if exist "C:\Users\Mahmoud_El_Menshawy\Desktop\QZUebm.exe" goto :DELFILE
    del "C:\Users\MAHMOU~1\AppData\Local\Temp\637c1908.bat"
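The retry-delete-then-self-delete stub above is a recurring cleanup pattern, so it is worth detecting on its own. The following Python analyzer is an added example, not code from the original report: it collects batch labels, `del` targets and `if exist ... goto` retry loops, and flags a batch that loops on deleting a file and then deletes a .bat. The sample batch text is taken from the content shown above, and the benign counter-example is constructed.

```python
"""Flag batch files that delete a file in a retry loop and then delete themselves."""
import re
from dataclasses import dataclass, field

# Sample batch content as recovered in the report above (analyst's sandbox paths).
SAMPLE_BATCH = r'''
:DELFILE
del "C:\Users\Mahmoud_El_Menshawy\Desktop\QZUebm.exe"
if exist "C:\Users\Mahmoud_El_Menshawy\Desktop\QZUebm.exe" goto :DELFILE
del "C:\Users\MAHMOU~1\AppData\Local\Temp\637c1908.bat"
'''

# Constructed benign batch: a single delete, no loop, no self-deletion.
BENIGN_BATCH = r'''
@echo off
del "C:\build\out.tmp"
echo done
'''

LABEL_RE = re.compile(r'^:(\w+)\s*$')
# del/erase with optional switches (/q /f ...) and an optionally quoted path
DEL_RE = re.compile(r'^(?:del|erase)\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)
# "if exist <path> goto :LABEL" is the retry construct used by self-cleaning stubs
LOOP_RE = re.compile(r'^if\s+exist\s+"?([^"]+?)"?\s+goto\s+:?(\w+)\s*$', re.IGNORECASE)


@dataclass
class BatchFindings:
    deleted: list = field(default_factory=list)      # every path passed to del/erase
    retry_loops: list = field(default_factory=list)  # (path, label) pairs that retry a delete
    self_delete: bool = False                        # the batch deletes a .bat file

    @property
    def suspicious(self) -> bool:
        """Retry loop on a delete combined with deletion of a .bat is the stub pattern."""
        return bool(self.retry_loops) and self.self_delete


def analyze_batch(text: str) -> BatchFindings:
    lines = [raw.strip() for raw in text.splitlines() if raw.strip()]

    # First pass: labels may be defined after the goto that targets them.
    labels = set()
    for line in lines:
        m = LABEL_RE.match(line)
        if m:
            labels.add(m.group(1).upper())

    # Second pass: record deletes and goto loops that point at a known label.
    findings = BatchFindings()
    for line in lines:
        if LABEL_RE.match(line):
            continue
        m = DEL_RE.match(line)
        if m:
            path = m.group(1)
            findings.deleted.append(path)
            if path.lower().endswith('.bat'):
                findings.self_delete = True
            continue
        m = LOOP_RE.match(line)
        if m and m.group(2).upper() in labels:
            findings.retry_loops.append((m.group(1), m.group(2).upper()))
    return findings


if __name__ == '__main__':
    for name, text in (('sample', SAMPLE_BATCH), ('benign', BENIGN_BATCH)):
        f = analyze_batch(text)
        print(name, 'suspicious' if f.suspicious else 'clean', f.deleted)
```

Because the `del` on the dropped executable sits in a `goto` loop, the stub keeps retrying until the process exits and releases the file; a sandbox that sees a .bat written with CREATE_ALWAYS in the temp path immediately after a process start is a good place to feed this check.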


Note

The file k1.rar can take a screenshot of the current window, collect caches and perform other stealing functions. It also makes a TCP connection to the IP address 45[.]199[.]111[.]154, which belongs to DXTL Tseung Kwan O Service, as shown in figure (21).



Figure (21)
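The network, registry and file indicators scattered through this report are most useful when gathered in one place and run against telemetry. The following Python sweep is an added example, not part of the original post: it refangs the defanged IP used in the text, collects the report's hashes, domain, URL, registry path and file names, and matches them against constructed endpoint and network event records. The record layout (a `type` field plus `query`, `url`, `dst_ip`, `key`/`value`, `path`/`md5`) is an assumption for the example, not any product's real schema, and the sample events are constructed.

```python
"""Sweep constructed endpoint/network telemetry for the indicators listed in this report."""
import re


def refang(value: str) -> str:
    """Turn a defanged indicator (45[.]1[.]2[.]3, hxxp://) back into its usable form."""
    return (value.replace('[.]', '.')
                 .replace('hxxps://', 'https://')
                 .replace('hxxp://', 'http://'))


# Indicators taken from the report; the IP is refanged from 45[.]199[.]111[.]154.
IOCS = {
    'md5': {'36a2061a6df7f0f3c608a8a140af14b3', '01bca2e10efd4379976b443f9e0e68b2'},
    'domain': {'ddos.dnsnb8.net'},
    'ip': {refang('45[.]199[.]111[.]154')},
    'url': {'http://ddos.dnsnb8.net:799/cj//k1.rar'},
    'registry': {r'hkey_local_machine\software\gtplus\qzuebm'},
    # File names are weak indicators (a legitimate binary may share the name);
    # they are reported but should be confirmed by hash or path.
    'filename': {'tapiunattend.exe', 'qzuebm.exe', 'k1.rar'},
}

# Constructed sample telemetry (not real logs): one record per event.
SAMPLE_EVENTS = [
    {'type': 'dns', 'host': 'WS01', 'query': 'ddos.dnsnb8.net'},
    {'type': 'http', 'host': 'WS01', 'url': 'http://ddos.dnsnb8.net:799/cj//k1.rar'},
    {'type': 'net', 'host': 'WS01', 'dst_ip': '45.199.111.154', 'dst_port': 443},
    {'type': 'registry', 'host': 'WS01',
     'key': r'HKEY_LOCAL_MACHINE\SOFTWARE\GTplus', 'value': 'QZUebm'},
    {'type': 'file', 'host': 'WS01',
     'path': r'C:\Windows\System32\TapiUnattend.exe',
     'md5': '01BCA2E10EFD4379976B443F9E0E68B2'},
    {'type': 'dns', 'host': 'WS02', 'query': 'update.example.com'},       # benign
    {'type': 'file', 'host': 'WS02', 'path': r'C:\Tools\notepad.exe',
     'md5': 'd41d8cd98f00b204e9800998ecf8427e'},                           # benign
]


def match_event(event: dict) -> list:
    """Return the (ioc_type, indicator) pairs this single event matches."""
    hits = []
    t = event['type']
    if t == 'dns' and event['query'].lower() in IOCS['domain']:
        hits.append(('domain', event['query'].lower()))
    if t == 'http':
        url = event['url']
        if url in IOCS['url']:
            hits.append(('url', url))
        # Also match on the host part so a changed path still trips the domain IoC.
        host = re.match(r'https?://([^/:]+)', url)
        if host and host.group(1).lower() in IOCS['domain']:
            hits.append(('domain', host.group(1).lower()))
    if t == 'net' and event['dst_ip'] in IOCS['ip']:
        hits.append(('ip', event['dst_ip']))
    if t == 'registry':
        full = event['key'] + '\\' + event['value']
        if full.lower() in IOCS['registry']:
            hits.append(('registry', full))
    if t == 'file':
        if event['md5'].lower() in IOCS['md5']:
            hits.append(('md5', event['md5'].lower()))
        name = event['path'].replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if name in IOCS['filename']:
            hits.append(('filename', name))
    return hits


def sweep(events: list) -> list:
    """Return one (host, event_type, hits) tuple per event that matches any indicator."""
    results = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            results.append((ev['host'], ev['type'], hits))
    return results


if __name__ == '__main__':
    for host, kind, hits in sweep(SAMPLE_EVENTS):
        print(host, kind, hits)
```

The registry match is on the full key plus value name from the table earlier in the report, and the hash set holds both the loader and the dropper, so a host that only shows a file name hit and nothing else deserves a hash check before anyone calls it an infection.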


Reference:

  • https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html
  • https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/
  • https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/
If you want to learn malware analysis, you can check my YouTube channel; I'm trying to publish analyses of malware and some methods for analysing malware.
Please don't forget to subscribe to my channel. Thank you ♥
YouTube channel:
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA




Malware analyst: Mahmoud El Menshawy.
Contact me: mahmoudmorsy372@gmail.com.